Abstract

The embedded machine is a virtual machine in the spirit of the Java virtual machine with specific extensions for embedded real-time computing on distributed platforms. The embedded machine provides an abstract platform for generating distributed code from high-level embedded programming languages. The instruction set of the embedded machine has a formal synchronous (zero-delay) semantics which provides synchronous control of scheduled computation and communication with respect to the progress of real-time and the occurrences of events. The serialization of concurrent scheduled computation and communication is defined non-deterministically, which makes the embedded machine compatible with any scheduling algorithm. A program of the embedded machine determines when to schedule task invocations and message delivery but not how. A scheduling algorithm is thus a parameter of a program of the embedded machine.


1 Introduction

The embedded machine or E machine for short is a virtual machine in the spirit of the Java virtual machine (JVM) [LY99] with specific extensions for embedded real-time computing on distributed platforms. The E machine provides an abstract platform for generating distributed code from high-level embedded programming languages such as synchronous reactive languages [Hal93], e.g., Lustre [HCRP91] or Esterel [Ber00], or time-triggered languages like Giotto [HHK00]. A virtual machine not only supports the generation of portable code but also helps to identify the key services of target platforms which support the execution of a given class of programming languages. The main objective of this paper is to define a minimal set of instructions which are essential for distributed code generation for event- and time-triggered programming languages with explicit real-time constructs.

The instruction set of the E machine is called E code. Unlike Java bytecode, E code allows one to specify the computational behavior of a system relative to the progress of time and the occurrences of events. The E machine controls the execution of tasks and the delivery of messages. In fact, the E machine can be seen as a meta machine controlling the execution of other non-embedded machines which execute tasks and transmit messages. A task in this model is single-threaded code without any synchronization points but with known worst-case execution time (WCET) [TEW00]. The communication to and from a task is not performed by the task but by the E machine prior to task execution and after task completion. Similarly, we model messages as tasks with known worst-case latency (WCL) where, however, the emphasis is not on the code of a message but on its input and output interface, which effectively determines sender and receiver.

*This work has been supported by Boeing on DARPA SEC grant F33615-99-C-1500.
The E machine abstracts from the services of a real-time operating system. In the semantics of the E machine we distinguish synchronous and scheduled computation. Synchronous computation is performed logically with zero time delay whereas scheduled computation takes time. In an implementation of the E machine, synchronous computation may be performed in the kernel context whereas scheduled computation may be done in the user context. From the perspective of scheduled computation the activity of the kernel, i.e., of the E machine, is instantaneous whereas the kernel sees user activity as scheduled computation which takes time. In an implementation, special care has to be taken to enforce this semantics, e.g., any portion of the memory accessed by a task should not be accessible to any other tasks.

Synchronous computation in the E machine is sequential whereas scheduled computation is concurrent. It is thus necessary to serialize scheduled computation, which is usually done in online systems using priorities. A scheduling algorithm computes the required priority assignment. The E machine uses the synchronous semantics to specify the scheduled reaction of a system to the progress of time and the occurrences of events. A scheduled reaction is the result of scheduled computation or communication. Serialization of scheduled computational activity in the E machine is defined non-deterministically, which makes the E machine compatible with any scheduling algorithm. A program of the E machine determines when to schedule task invocations and message delivery but not how. A scheduling algorithm is thus a parameter of E code.

The E machine has an environment and an output interface as well as an internal memory. Interfaces and memory are sets of ports. A port is a variable with finite type and a unique identifier. The value of a port in the environment interface is determined by the physical environment of the E machine. The port is read-only for the machine. On the other hand, the value of a port in the output interface is set by the E machine and may affect the physical environment. The port is read-only for the environment. The E machine has read and write access to its internal memory, which is not observable by the environment. We distinguish signal and value ports. A signal port is an integer port whose valuations are non-decreasing with respect to the progress of time. A signal counter is a valuation of a signal port. We require that signal counters are increased at most by one at any instance. We speak of the occurrence of a signal whenever a signal counter is increased by one. A value port is an uninterpreted port with arbitrary type. Thus value ports in the environment interface may model state whereas signal ports may model change of state. If a signal port in the environment interface is driven by a real-time clock, its signal counter corresponds to absolute time.

A configuration of the E machine contains a schedule and valuations for all ports of the machine. A schedule is a list of triggers which determines when to invoke E code of the machine. A trigger (s, m, l) consists of a signal port s, a signal counter m, and an E code program address l. A trigger is active when the signal counter of s reaches m. Then the E machine executes the E code at l. If s is driven by a real-time clock, m refers to the absolute time of this clock. The key instruction of the E machine is the embedded jump. It inserts new triggers into the schedule of the machine. An embedded jump has as arguments a signal port s, a signal counter n, and a program address l. The signal counter n determines, relative to the current signal counter k of s, how long to wait before invoking the E code at l. It will add a trigger (s, k + n, l) to the schedule. Multiple active triggers are executed in the order of the execution of the corresponding embedded jumps. If s is driven by a real-time clock, n refers to relative time. E code uses relative time, which will be translated to absolute time during the execution of the code.

There are two call instructions to invoke tasks and to transmit messages, respectively. In order to execute tasks, the synchronous call instruction invokes a task and blocks until the execution of the task is completed. The scheduled call instruction invokes a task and then proceeds immediately to the next instruction. We assume that some scheduling algorithm assigns a priority to this task. The result of the scheduled invocation will be available some time later. We model message delivery in a similar way. Note that emitting signals by an E machine is only possible through scheduled invocations. A signal counter of a given signal port may be increased upon completion of scheduled computation but not synchronous computation. Note also that the E machine only checks the presence of signals but not the absence, as opposed to the synchronous reactive semantics, e.g., of Esterel.

The E machine is related to automata-based approaches like the object code (OC) [PS98] for generating code from Lustre and Esterel. An OC program is an automaton whose state transitions determine the reaction of a system with respect to the set of all signals in the system without keeping track of signal counters. The E machine, on the other hand, may schedule reactions with respect to a single signal and its signal counter. Conceptually, the E machine implicitly partitions the states of an OC program into several states with possibly fewer transitions. In particular, in the context of real-time clocks, the E machine makes it possible to code specific time-triggered reactions.

For distributed code generation we define the distributed E machine to be the parallel composition of E machines. The semantics of the E machine readily carries over to the distributed case. Communication between E machines is modeled by identifying ports of the output interfaces. Common output value ports of multiple E machines model frames sent on the networks between the machines. A frame is the largest non-preemptive sequence of bits which can be sent on a network. Writing to a common output value port corresponds to sending a frame.

In the following section we introduce preliminary definitions which will be used throughout the paper. In Section 3 we define the E machine and E machine configurations. Section 4 describes abstract and concrete syntax as well as the semantics of each instruction of the E machine. In the second part of Section 4 we formally define the semantics of the E machine. In Section 5 we define the distributed E machine, which is a parallel composition of multiple E machines. We conclude the paper in Section 6 with a discussion of future work.

2 Preliminaries

In this section we define the notions of ports, programs, and schedules which will be used throughout the paper.

2.1 Ports

A port is a variable with finite type and a unique location in some shared memory. Note that we use shared memory as a logical concept, not as an implementation.

Definition 2.1 (Port)

A port is a tuple (a, T) consisting of (1) an address a and (2) a type T. An address is a non-negative integer. A type is a finite set of values. We require that any two distinct ports have different addresses.

Memory is a finite set of ports. We may also call a memory an interface, depending on its usage.

Definition 2.2 (Memory)

Memory is a finite set mem of ports. We define a function addresses which returns the set of addresses of all ports in mem by $addresses(mem) = \{\, a \mid (a, T) \in mem \,\}$. An address a is called valid in mem if $a \in addresses(mem)$. We use $*(a, mem)$ to denote the port $(a, T) \in mem$ for a valid address a in mem.
We define valuations as relations between port addresses and values for notational convenience, although valuations are actually functions assigning unique values to port addresses.

Definition 2.3 (Valuation)

Let (a, T) be a port p. A valuation for p is a tuple (a, v) with $v \in T$. Let mem be some memory. A valuation for mem is a set $\mu$ of valuations for all ports in mem such that for all $(a, v_1) \in \mu$ and for all $(b, v_2) \in \mu$ with $v_1 \neq v_2$ we have $a \neq b$. A valuation induces a function from addresses to values. If $(a, v) \in \mu$ then $\mu(a)$ maps a to the value v. We define a function addresses which returns the set of addresses of all ports in a valuation $\mu$ by $addresses(\mu) = \{\, a \mid (a, v) \in \mu \,\}$.

We define an update function for valuations in order to replace subsets of valuations by other valuations.

Definition 2.4 (Update)

Let $\mu$ be a valuation for some memory mem and let $mem_r$ be a subset of mem. Let A be the set $addresses(mem_r)$ of addresses of $mem_r$. We define the restriction $\mu|_A$ of $\mu$ to be the valuation $\{\, (a, v) \mid (a, v) \in \mu,\ a \in A \,\}$. The extension $\mu|_{mem_r}$ to restrictions on memories is given by $\mu|_{addresses(mem_r)}$. Let $\nu$ be a valuation for $mem_r$. We define the function update, which replaces the valuations in $\mu$ for $mem_r$ by the valuations in $\nu$, by $update(\mu, \nu) = (\mu \setminus \mu|_{addresses(\nu)}) \cup \nu$. Note that $update(\mu, \nu)$ is a valuation whenever $\mu$ and $\nu$ are valuations.

The following function increases the signal counters of signal ports.

Definition 2.5 (Increase)

Let $\mu$ be a valuation for some memory mem and let $mem_s$ be a subset of all signal ports in mem. Let S be the set $addresses(mem_s)$ of addresses of $mem_s$. The function increase, given by $increase(\mu, S) = update(\mu, \{\, (a, v + 1) \mid (a, v) \in \mu|_S \,\})$, increases the signal counters for $mem_s$ in $\mu$ by one.

2.2 Programs

We restrict the maximum number of arguments of a machine instruction to three for notational convenience.

Definition 2.6 (Instruction)

An instruction is a tuple $(ic, i_1, i_2, i_3)$ consisting of (1) an instruction code ic, (2) an argument $i_1$, (3) an argument $i_2$, and (4) an argument $i_3$. An instruction code is a three-letter string. We define a mapping of instruction codes to integer opcodes in the appendix in Section 7. An argument is a non-negative integer. We use $str(i_1)(i_2)(i_3)$ to denote an instruction $(str, i_1, i_2, i_3)$. If the instruction only uses one or two arguments we write $str(i_1)$ or $str(i_1)(i_2)$, respectively. If the instruction does not require an argument at all we write str.

A program is a finite list of instructions assigning a unique program address to each instruction. The program address of the first instruction may be any non-negative integer, which we call the offset of the program.

Definition 2.7 (Program)

A program eco is a finite list $(ins_o, \ldots, ins_n)$ of instructions $ins_i$ for $o \le i \le n$. We call o the offset and n the end of eco. We use $*(i, eco)$ to denote the instruction $ins_i$. The index i is called a program address. A program address a is called valid in eco if there is an instruction $ins_a$ in eco. A program counter PC is a non-negative integer.
The control state of a program associates non-negative integers with program addresses in the program. We use the control state for dereferencing the arguments of indirect jump instructions.

Definition 2.8 (Control State)

Let eco be a program and let l be a valid program address in eco. Let i be a non-negative integer. An indirect jump address for i in eco is a tuple (i, l). The control state of eco is a set $\rho$ of indirect jump addresses in eco. Note that we will apply the update function for valuations to update the control state.

A stack is a list of non-negative integers. The E machine maintains a single LIFO stack.

Definition 2.9 (Stack)

A list lst is a finite sequence $(l_0, \ldots, l_n)$ of elements $l_i$ for $0 \le i \le n$. The empty list is denoted by $()$. We use $\circ$ to concatenate lists. We denote membership by $l \in lst$. We extend set exclusion to lists in a straightforward way. For a given subset S of all elements of lst, the list $lst \setminus S$ denotes the list lst without the elements of S. A stack stk is a list $(int_0, \ldots, int_n)$ of non-negative integers $int_i$ for $0 \le i \le n$.

2.3 Schedules

A trigger associates E code with the state of a signal counter of a signal port. A trigger determines which E code is to be executed given the value of a signal counter of a signal port. A schedule is a list of triggers. It is possible that multiple triggers in a schedule are active at the same instance.

Definition 2.10 (Schedule)

Let eco be a program and let l be a valid program address in eco. Let (s, T) be a signal port. Let n be a non-negative integer. A trigger on s is a tuple (s, n, l). A schedule on some memory mem of signal ports is a list $\tau$ of triggers on the ports in mem.

A scheduled reaction determines when to complete scheduled computation or communication. A distributed reaction is a set of scheduled reactions. It is possible that multiple scheduled reactions in a distributed reaction will be completed at the same instance.

Definition 2.11 (Distributed Reaction)

Let $(a, T_a)$ and $(b, T_b)$ be two signal ports. Let S either be the empty set or the singleton set $\{b\}$. Let f be a function defined on a set in of ports and let $\nu$ be a valuation of in. Let n be a non-negative integer. A scheduled reaction on a is a tuple $(a, n, f, \nu, S)$. A distributed reaction on some memory mem of signal ports is a set $\delta$ of scheduled reactions on the ports in mem.

A scheduled reaction formalizes the completion of scheduled computation and communication. We call a set of scheduled reactions a distributed reaction because in an implementation of the E machine, multiple scheduled reactions at the same instance are only possible on different machines of a distributed E machine. On a single E machine there can only be a single scheduled reaction at any instance because there can only be a single task or message being completed at any instance.

3 The Embedded Machine

The E machine is an abstract stack machine which executes E code from a program eco on three different types of memories. The environment interface of the E machine is a set env of environment ports whose values are set by the physical environment of the E machine. For the E machine the env interface is read-only. The environment interface is partitioned into the signal interface $env_s$ of signal ports in env and the value interface $env_v$ of value ports in env, i.e., env is the disjoint union $env_s \cup env_v$.

The internal memory of the E machine is a set int of internal ports of the E machine. We assume that the int memory is not observable by the environment or any other E machine. We partition int into the signal memory $int_s$ and the value memory $int_v$. A task scheduled by the eco program may only read from a subset of the int memory and write to a subset of the $int_v$ memory.

The output interface of the E machine is a set out of output ports. For the environment the out interface is read-only. We partition out into the signal memory $out_s$ and the value memory $out_v$. A message scheduled by the eco program may either read from a subset of the env and out interfaces and write to a subset of the $int_v$ memory, or else read from a subset of the int memory and write to a subset of the $out_v$ interface.

We denote the overall E machine memory $env \cup int \cup out$ by mem, which is partitioned into the signal memory $mem_s$ and the value memory $mem_v$, i.e., mem is the disjoint union $mem_s \cup mem_v$ where $mem_s = env_s \cup int_s \cup out_s$ and $mem_v = env_v \cup int_v \cup out_v$. The E machine computes valuations for the int memory and the out interface from valuations for all ports of the overall memory mem.

Definition 3.1 (Embedded Machine)

An embedded machine (E machine) M is a tuple (eco, env, int, out) which consists of (1) a program eco, (2) an interface env, (3) a memory int, and (4) an interface out. We require $env \cap int = \emptyset$, $env \cap out = \emptyset$, and $int \cap out = \emptyset$.

The E machine maintains a valuation $\mu$ for its memory mem, a schedule $\tau$ of its triggers, a distributed reaction $\delta$ of its scheduled reactions, and a control state $\rho$. The schedule accumulates the completed and pending embedded jumps. The distributed reaction specifies when scheduled tasks and messages have finished and will finish. An indirect jump instruction of the E machine uses $\rho$ to dereference its argument, which is a non-negative integer, to an absolute program address.

Definition 3.2 (Configuration)

Let M be an embedded machine (eco, env, int, out). A configuration C of M is a tuple $(\mu, \tau, \delta, \rho)$ which consists of (1) a valuation $\mu$ for $env \cup int \cup out$, (2) a schedule $\tau$, (3) a distributed reaction $\delta$, and (4) a control state $\rho$ of eco.

The instruction set and the formal semantics of the E machine are defined in the next section.


4 Semantics

For the definitions in this section let M be an embedded machine (eco, env, int, out). Let mem be the overall memory of M. The E machine internally maintains a program counter PC and a stack stk of non-negative integers. The E machine uses the stk stack to maintain jump addresses, signal counters, and other miscellaneous values. Configurations of M are denoted by c.

4.1 The E Code Semantics

We call the instruction set of the E machine E code. The function exec defines the semantics of E code. It computes sets of E machine configurations. We require that E code does not contain infinite loops. Note that we do not cover error handling in the definition of the E machine. We begin with a definition of synchronous E code, which consists of all instructions except the instructions for scheduled computation. In the logical semantics of the E machine, we require that synchronous E code is executed instantaneously, similar to the logical semantics of synchronous reactive languages. Note that instructions like push, pop, add, the no operation, the comparison, conditional and absolute jump instructions are standard machine instructions. These instructions are convenient but not necessary. Other choices are possible. The unique features of the E machine are the embedded jump instruction in combination with the synchronous and scheduled call instructions, which we will use to control task invocations and message delivery.

Synchronous Computation. The synchronous call instruction com(f) invokes the synchronous computation of an external function f. We require that f is computable and is defined on a subset of the internal ports of M. Thus f can neither see nor affect the environment directly.

Definition 4.1 (Synchronous Computation)

Let f be a computable function which maps valuations of its input ports in, which are a subset of the internal ports int, to valuations of its output ports, which are a subset of the internal value ports $int_v$. We define the semantics of the instruction com(f). We assume that $*(PC, eco) = com(f)$. Then:

$$exec(PC, stk, (\mu, \tau, \delta, \rho)) = exec(PC + 1, stk, (update(\mu, f(\mu|_{in})), \tau, \delta, \rho))$$

The push instruction psh pushes its argument onto the stack.

Definition 4.2 (Push)

Let i be a non-negative integer. We define the semantics of the instruction psh(i). We assume that $*(PC, eco) = psh(i)$. Then:

$$exec(PC, stk, c) = exec(PC + 1, (i) \circ stk, c)$$

The pop instruction pop removes the top value from the stack.

Definition 4.3 (Pop)

We define the semantics of the instruction pop. Let i be a non-negative integer. We assume that $*(PC, eco) = pop$. Then:

$$exec(PC, (i) \circ stk, c) = exec(PC + 1, stk, c)$$

The add instruction add(j) adds j to the top value i of the stack. Note that j may be negative. add(j) removes i from the stack, adds j to it, and then pushes the result r back onto the stack. r is equal to i + j if i + j > 0, or else r is zero.

Definition 4.4 (Add)

Let i be a non-negative integer and let j be an integer. We define the semantics of the instruction add(j). We assume that $*(PC, eco) = add(j)$. Then:

$$exec(PC, (i) \circ stk, c) = exec(PC + 1, (i + j) \circ stk, c)$$

if $i + j > 0$, or otherwise

$$exec(PC, (i) \circ stk, c) = exec(PC + 1, (0) \circ stk, c)$$

The comparison instruction neq(j) pushes a 1 onto the stack whenever the top value i on the stack is not equal to j. Otherwise, it pushes 0 onto the stack.

Definition 4.5 (Comparison)

Let i be a non-negative integer. We define the semantics of the instruction neq(j). We assume that $*(PC, eco) = neq(j)$. Then:

$$exec(PC, (i) \circ stk, c) = exec(PC + 1, (0, i) \circ stk, c)$$

if $i = j$, or otherwise

$$exec(PC, (i) \circ stk, c) = exec(PC + 1, (1, i) \circ stk, c)$$

The conditional jump instruction cmp(l) jumps to the program address l whenever the top value i on the stack is equal to zero. More precisely, cmp(l) reads and removes the top value i from the stack and then loads the program counter with its argument l if and only if i is equal to zero.

Definition 4.6 (Conditional Jump)

Let i be a non-negative integer. Let l be a valid address of the program eco. We define the semantics of the instruction cmp(l). We assume that $*(PC, eco) = cmp(l)$. Then:

$$exec(PC, (i) \circ stk, c) = exec(l, stk, c)$$

if $i = 0$, or otherwise

$$exec(PC, (i) \circ stk, c) = exec(PC + 1, stk, c)$$

The absolute jump instruction jmp(l) performs a jump to the program address l. It loads the program counter with l.

Definition 4.7 (Absolute Jump)

Let l be a valid address of the program eco. We define the semantics of the instruction jmp(l). We assume that $*(PC, eco) = jmp(l)$. Then:

$$exec(PC, stk, c) = exec(l, stk, c)$$

We define the semantics of the return instruction ret. If the stack of the E machine is not empty, ret removes the top value from the stack and loads the program counter with the top value. We assume that this value is a program address which has been pushed onto the stack by a previous push instruction or an embedded jump instruction. In this case, ret behaves similar to a standard return instruction at the end of a procedure. If, however, the stack of the E machine is empty, ret stops the execution of the current program.

Definition 4.8 (Return)

Let l be a valid program address in eco. We define the semantics of the instruction ret. We assume that $*(PC, eco) = ret$. Then:

$$exec(PC, (), c) = \{c\}$$

or

$$exec(PC, (l) \circ stk, c) = exec(l, stk, c)$$


The instruction nop just proceeds to the next instruction.

Definition 4.9 (No operation)

We define the semantics of the instruction nop. We assume that $*(PC, eco) = nop$. Then:

$$exec(PC, stk, c) = exec(PC + 1, stk, c)$$

        psh(0)
While:  neq(10)
        cmp(End:)
        com(f)
        add(5)
        jmp(While:)
End:    pop
        ret

Figure 1: An example of synchronous E code.

        prd(p)
        cmp(Else:)
        com(f)
Else:   ret

Figure 2: An example of dynamic E code.

Consider the basic E code in Figure 1. We use labels of the form label: to denote program addresses. The program implements a simple while loop. It invokes a function f two times before it leaves the while loop. We assume that each external function is associated with a unique non-negative integer. We overload f to denote this integer. Note that the execution of the program is assumed to happen in zero time.

Dynamic E code. In this paragraph we introduce an instruction to invoke external predicates. We call E code which contains predicate instructions dynamic E code. The instruction prd(p) invokes the computation of an external predicate p. We require that p is computable and is defined on a subset of the internal ports of M.

Definition 4.10 (Predicate)

Let p be a computable function which maps valuations of its input ports in, which are a subset of the internal ports int, to 0 or 1. We define the semantics of the instruction prd(p). We assume that $*(PC, eco) = prd(p)$. Then:

$$exec(PC, stk, (\mu, \tau, \delta, \rho)) = exec(PC + 1, (p(\mu|_{in})) \circ stk, (\mu, \tau, \delta, \rho))$$

Consider the dynamic E code in Figure 2. The function f is only executed if the predicate p is true on the current valuation of the input ports of p.

Explicit control state. We use the control state $\rho$ of the E machine to make the control state of E code available to computational activity in the future. The indirect jump instruction imp(i) performs a jump to the absolute program address $\rho(i)$ by dereferencing its argument i using the control state $\rho$.
        set(0)(S1:)
        prd(p)
        cmp(Else:)
        set(0)(S0:)
Else:   imp(0)
S0:     com(f)
S1:     ret

Figure 3: An example of E code with explicit control state.


Definition 4.11 (Indirect Jump)

Let i be a non-negative integer where $\rho(i)$ is a valid address in eco and $\rho$ is the control state of the configuration c. We define the semantics of the instruction imp(i). We assume that $*(PC, eco) = imp(i)$. Then:

$$exec(PC, stk, c) = exec(\rho(i), stk, c)$$

The set instruction set(i)(l) modifies the control state $\rho$ of the E machine. It associates its argument i with the program address l in $\rho$.

Definition 4.12 (Set)

Let i be a non-negative integer and let l be a valid address in eco. We define the semantics of the instruction set(i)(l). We assume that $*(PC, eco) = set(i)(l)$. Then:

$exec(PC, stk, (\mu, \tau, \delta, \rho)) = exec(PC + 1, stk, (\mu, \tau, \delta, update(\rho, \{(i, l)\})))$

Consider the E code in Figure 3. As above, the function f is only executed if the predicate p is true on the current valuation of the input ports of p.

The E code introduced so far is still very limited. We can only express some restricted finite computational activity. The E machine can neither see nor affect any state values of the environment. To connect the E machine to state values of its environment and of its output we introduce synchronous read and write instructions in the next paragraph.

Synchronous Communication. In order to allow external functions to see and affect state values of the environment we introduce read and write instructions which have the same semantics as the synchronous call instruction to invoke external functions but with different restrictions on their arguments.

Definition 4.13 (Read)

Let f be a computable function which maps valuations of a subset in of the environment and output ports $env \cup out$ to valuations of a subset of the internal value ports $int_v$. The semantics of the instruction red(f) is exactly the same as the semantics of the instruction com(f).

Definition 4.14 (Write)

Let f be a computable function which maps valuations of a subset in of the internal ports int to valuations of a subset of the output value ports $out_v$. The semantics of the instruction wrt(f) is exactly the same as the semantics of the instruction com(f).
        psh(0)
While:  neq(10)
        cmp(End:)
        red(f_r)
        com(f)
        wrt(f_w)
        add(5)
        jmp(While:)
End:    pop
        ret

Figure 4: An example of closed E code.


The read instruction allows the E machine to observe state values of the environment, whereas the write instruction allows it to change them. E code containing write instructions but no read instructions is called open E code. We call E code containing read and write instructions closed E code.

Consider the closed E code in Figure 4. Let f_r be a function which reads from an environment port and updates an internal port p_r. Let f_w be a function which takes the value from an internal port p_w and writes it to an output port. Let f be a function mapping values from the internal port p_r to values in the internal port p_w. The program implements a simple while loop. Each time before it invokes f, the instruction red(f_r) copies the value of some environment port to the internal port p_r. Thus f can see the environment of the E machine. Each time f is finished, the instruction wrt(f_w) copies the result to some output port. Note that since the execution of the program is assumed to happen in zero time, both invocations of f will see the same value in the environment.

Embedded Jump. In this paragraph we define the semantics of the embedded jump instruction and the deschedule instruction. We require for the execution of an embedded jump instruction emp(s)(l) that the stack contains at least one value, s is the address of a signal port and l is a program address. emp(s)(l) reads the top value n from the stack. If n is equal to zero it pushes the program address of the next instruction onto the stack and then jumps immediately to the program address l. In this case the embedded jump corresponds to a procedure call which saves a return address on the stack.

If n is greater than zero it inserts a trigger $(s, m, l)$ into the schedule $\tau$ where $m = \mu(s) + n$ and $\mu(s)$ is the current signal counter of s. An embedded jump with n > 0 corresponds to an absolute jump performed in the future upon the m-th occurrence of a signal in s. Note that a return address is not saved on the stack.

Definition 4.15 (Embedded Jump)

Let s be the address of a signal port. Let l be a valid address of the program eco. We define the semantics of the instruction emp(s)(l). Let n be a non-negative integer. We assume that $*(PC, eco) = emp(s)(l)$. Then:

$exec(PC, (0) \circ stk, c) = exec(l, (PC + 1, 0) \circ stk, c)$

or, if n > 0:

$exec(PC, (n) \circ stk, (\mu, \tau, \delta, \rho)) = exec(PC + 1, (n) \circ stk, (\mu, \tau \circ ((s, \mu(s) + n, l)), \delta, \rho))$
Invoke_f:    psh(0)
             emp(clk)(Function_f:)
             pop
             ret

Function_f:  red(f_r)
             com(f)
             wrt(f_w)
             ret

Figure 5: An example of synchronous E code with a procedure call.


Invoke_g:    psh(0)
While:       neq(10)
             cmp(End:)
             emp(clk)(Function_g:)
             add(5)
             jmp(While:)
End:         pop
             ret

Function_g:  com(g)
             ret

Figure 6: An example of synchronous E code with a loop around an embedded jump.


An example of synchronous E code with a procedure call is depicted by Figure 5. clk is the address of a signal port of the environment interface. We assume that the signal counter of clk is increased periodically by a 1ms tick of a real-time clock. We first push a zero onto the empty stack and then perform an embedded jump to Function_f:. In this case, the jump behaves like a procedure call, pushing the program address of the following pop instruction onto the stack and then jumping to Function_f:. The following three instructions are similar to the example depicted by Figure 4. The final return instruction jumps to the program address which has been saved on the stack by the previous embedded jump. Finally, the zero on the stack is removed from the stack and the program exits.

An example of synchronous E code with a loop around an embedded jump is depicted by Figure 6. The first invocation of the embedded jump behaves like a procedure call to Function_g:, similar to the example depicted by Figure 5. However, the second invocation sees a five on the stack. In this case, the embedded jump adds a trigger (clk, k + 5, Function_g:) to the schedule of the E machine where k is the current time in clk. Thus the code at Function_g: will be executed in exactly 5ms. At the current instance, however, the E machine proceeds immediately, finishes the loop and exits.

Consider the synchronous E code in Figure 7. The program invokes the function f every 20ms and the function g every 5ms as long as the predicate p returns zero, which is checked every 10ms. As soon as p returns a one the E machine stops. This example has been motivated by the time-triggered semantics of Giotto [HHK00].

The deschedule instruction complements the embedded jump instruction in the sense that a trigger which has previously been inserted into the schedule $\tau$ by an embedded jump can be removed by the deschedule instruction. An application of the deschedule instruction is the implementation of timeouts.

Minor1:        psh(0)
               emp(clk)(Invoke_f:)
               emp(clk)(Invoke_g:)
               add(10)
               emp(clk)(Check_Minor1:)
               pop
               ret

Check_Minor1:  prd(p)
               cmp(Minor2:)
               ret

Minor2:        psh(0)
               emp(clk)(Invoke_g:)
               add(10)
               emp(clk)(Check_Minor2:)
               pop
               ret

Check_Minor2:  prd(p)
               cmp(Minor1:)
               ret

Figure 7: An example of a Giotto implementation.

Definition 4.16 (Deschedule)

Let s be the address of a signal port. Let l be a valid address of the program eco. We define the semantics of the instruction des(s)(l). Let n be a non-negative integer. We assume that $*(PC, eco) = des(s)(l)$. Then, if n > 0:

$exec(PC, (n) \circ stk, (\mu, \tau, \delta, \rho)) = exec(PC + 1, (n) \circ stk, (\mu, \tau \setminus \{(s, \mu(s) + n, l)\}, \delta, \rho))$
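The synchronous instructions of Figures 3 and 4, the embedded jump of Figures 5 to 7 and the deschedule instruction, run on a small interpreter. This is an added example written for this page, not code from the paper or from any E machine implementation; the tuple encoding of E code, the helper names (assemble, EMachine, run_giotto), the sample external functions and the assumed details of cmp, neq and ret are this example's own choices. It executes Figure 7 (together with the Figure 5 and Figure 6 routines it calls) under a 1ms clock and records when f and g are invoked, which reproduces the 20ms/5ms/10ms pattern described above.

```python
def assemble(listing):
    """'Label:' strings and (opcode, args...) tuples -> (code, labels); a label
    maps to the address of the instruction that follows it."""
    code, labels = [], {}
    for item in listing:
        if isinstance(item, str):
            labels[item] = len(code)
        else:
            code.append(item)
    return code, labels


class EMachine:
    def __init__(self, listing, funcs, mu):
        self.code, self.labels = assemble(listing)
        self.funcs = funcs   # external functions and predicates: name -> callable(mu)
        self.mu = mu         # valuation of all ports; signal ports hold their counters
        self.tau = []        # schedule: triggers (s, n, l) in insertion order
        self.rho = {}        # control state: index -> program address

    def exec(self, pc, stk):
        """Zero-time execution from pc until ret meets an empty stack; stk[-1] is the
        top. Assumed details: cmp jumps when the popped value is zero, neq pushes
        (top != k) without popping, ret pops a return address saved by a call."""
        while True:
            op, *a = self.code[pc]
            pc += 1                                        # default: fall through
            if op == "psh": stk.append(a[0])
            elif op == "pop": stk.pop()
            elif op == "add": stk[-1] += a[0]
            elif op == "neq": stk.append(int(stk[-1] != a[0]))
            elif op == "cmp": pc = self.labels[a[0]] if stk.pop() == 0 else pc
            elif op == "jmp": pc = self.labels[a[0]]
            elif op in ("com", "red", "wrt"): self.mu.update(self.funcs[a[0]](self.mu))
            elif op == "prd": stk.append(self.funcs[a[0]](self.mu))
            elif op == "set": self.rho[a[0]] = self.labels[a[1]]
            elif op == "imp": pc = self.rho[a[0]]
            elif op == "emp" and stk[-1] == 0:             # procedure call: save PC+1
                stk.append(pc); pc = self.labels[a[1]]
            elif op == "emp":                              # jump on the n-th next signal
                self.tau.append((a[0], self.mu[a[0]] + stk[-1], self.labels[a[1]]))
            elif op == "des":                              # remove that trigger again
                t = (a[0], self.mu[a[0]] + stk[-1], self.labels[a[1]])
                self.tau = [u for u in self.tau if u != t]
            elif op == "ret":
                if not stk: return
                pc = stk.pop()

    def tick(self, s):
        """The environment emits a signal in s: the counter grows by one and each
        trigger (s, n, l) with n == mu(s) runs, in insertion order (after Def. 4.22)."""
        self.mu[s] += 1
        active = [t for t in self.tau if t[:2] == (s, self.mu[s])]
        self.tau = [t for t in self.tau if t not in active]
        for _, _, l in active:
            self.exec(l, [])


FIGURE7 = [  # Figures 5, 6 and 7 of the paper in the tuple encoding of this example
    "Minor1:", ("psh", 0), ("emp", "clk", "Invoke_f:"), ("emp", "clk", "Invoke_g:"),
    ("add", 10), ("emp", "clk", "Check_Minor1:"), ("pop",), ("ret",),
    "Check_Minor1:", ("prd", "p"), ("cmp", "Minor2:"), ("ret",),
    "Minor2:", ("psh", 0), ("emp", "clk", "Invoke_g:"), ("add", 10),
    ("emp", "clk", "Check_Minor2:"), ("pop",), ("ret",),
    "Check_Minor2:", ("prd", "p"), ("cmp", "Minor1:"), ("ret",),
    "Invoke_f:", ("psh", 0), ("emp", "clk", "Function_f:"), ("pop",), ("ret",),
    "Function_f:", ("red", "f_r"), ("com", "f"), ("wrt", "f_w"), ("ret",),
    "Invoke_g:", ("psh", 0),
    "While:", ("neq", 10), ("cmp", "End:"), ("emp", "clk", "Function_g:"), ("add", 5),
    ("jmp", "While:"),
    "End:", ("pop",), ("ret",),
    "Function_g:", ("com", "g"), ("ret",),
]


def run_giotto(stop_at, ticks):
    """Run Figure 7 from Minor1 at time 0 for `ticks` 1ms clk ticks; returns the
    (function, time) invocation log, the remaining schedule and output port y.
    The external functions are constructed samples; p is 1 once clk >= stop_at."""
    log = []

    def external(name, body):        # a sample function whose invocations are logged
        def fn(m):
            log.append((name, m["clk"]))
            return body(m)
        return fn

    funcs = {"f_r": lambda m: {"p_r": m["x"]},              # read environment port x
             "f": external("f", lambda m: {"p_w": 2 * m["p_r"]}),
             "f_w": lambda m: {"y": m["p_w"]},               # write output port y
             "g": external("g", lambda m: {}),
             "p": lambda m: int(m["clk"] >= stop_at)}
    em = EMachine(FIGURE7, funcs, {"clk": 0, "x": 1, "p_r": 0, "p_w": 0, "y": 0})
    em.exec(em.labels["Minor1:"], [])
    for _ in range(ticks):
        em.tick("clk")
    return log, em.tau, em.mu["y"]
```

With stop_at = 30 and 30 ticks the log shows f at 0 and 20, g at 0, 5, 10, 15, 20 and 25, and an empty schedule once p returns one at tick 30. Running E code on a table-driven interpreter of this kind lets the timing of a schedule be checked offline against its intended periods before the code is deployed on a target with real deadlines.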

Scheduled Computation. Synchronous computation is logically instantaneous computation. An implementation of the E machine can only approximate this assumption on the semantics. Scheduled computation, on the other hand, is computation which strictly takes time. We define the scheduled call instruction cal(s^e)(f)(s^i) for scheduled computation of external functions, which complements the synchronous call instruction com(f). We call E code containing instructions for scheduled computation scheduled E code. We require that f is computable and is defined on a subset of the internal ports of M. Thus f can neither see nor affect the environment directly. We assume that the worst-case execution time of f is known and is available to any scheduling algorithm used by the E machine.

The scheduled call instruction cal(s^e)(f)(s^i) schedules the computation of f whose execution strictly takes time. s^e is the address of a signal port in the environment interface, s^i is the address of a signal port in the internal memory. We require for the execution of the instruction that the stack contains at least one value n > 0. The computation of f may finish non-deterministically before or at the m-th occurrence of a signal in s^e where $m = \mu(s^e) + n$. Note that whenever the computation of f finishes after the m-th occurrence its result will be discarded by the E machine. We require that f reads its input values upon execution of the scheduled call instruction. The result of the computation is written to the machine memory when the computation of f is finished on time. Then also the signal counter in s^i is increased by one, effectively emitting a signal in the internal memory at the completion of the computation of f. Technically, the instruction cal(s^e)(f)(s^i) inserts a scheduled reaction $(s^e, \mu(s^e) + i, f, \mu|_{in}, \{s^i\})$ for some i with $0 \le i \le n$ into the distributed reaction $\delta$ of the E machine. The scheduled reaction will become effective when the signal counter of s^e reaches $\mu(s^e) + i$. Note that, in general, the scheduled call instruction leads to non-deterministic runs of the E machine because any choice of i with $0 \le i \le n$ is valid.

Function_f:  red(f_r)
             psh(20)
             cal(clk)(f)
             emp(clk)(Write:)
             pop
             ret

Write:       wrt(f_w)
             ret

Function_g:  psh(5)
             cal(clk)(g)
             pop
             ret

Figure 8: An example of E code with scheduled computation.

As opposed to synchronous reactive languages, only scheduled computation in the E machine is allowed to emit signals. Note that the instruction cal(s^e)(f) is a special case in which no signal counter is increased. The non-determinism of the duration of scheduled computation has to be resolved by an arbitrary scheduling algorithm which is a parameter of the E machine. Scheduled computation which does not finish before its scheduled reaction has to be discarded by a valid implementation of the E machine.

Definition 4.17 (Scheduled Computation)

Let s^e be the address of an environment signal port and let s^i be the address of an internal signal port. Let f be a computable function which maps valuations of a subset in of the internal ports int to valuations of a subset of the internal value ports $int_v$. Let n be a non-negative integer. We define the semantics of the instructions cal(s^e)(f)(s^i) and cal(s^e)(f). If $*(PC, eco) = cal(s^e)(f)(s^i)$ then let $S = \{s^i\}$, or else if $*(PC, eco) = cal(s^e)(f)$ then let $S = \emptyset$. Then:

$exec(PC, (n) \circ stk, (\mu, \tau, \delta, \rho)) = \bigcup_{0 \le i \le n} exec(PC + 1, (n) \circ stk, (\mu, \tau, \delta \cup \{(s^e, \mu(s^e) + i, f, \mu|_{in}, S)\}, \rho))$

Consider the scheduled E code in Figure 8. This example replaces the code labelled Function_f: and Function_g: depicted by Figure 5 and Figure 6, respectively. Now, the computation of g may take up to 5ms whereas the computation of f may take up to 20ms. Note that the write instruction subsequent to the computation of f has to be delayed until the computation of f is completed. The semantics of the E machine guarantees that the result of the computation of f is available before or at the next 20ms instance and strictly before any other synchronous E code scheduled to begin at the next 20ms instance is invoked.

Function_f:  red(f_r)
             psh(20)
             cal(clk)(f)(fin)
             pop
             psh(1)
             emp(fin)(Write:)
             pop
             ret

Figure 9: An example of E code with scheduled computation.

Another way to replace the code labelled Function_f: depicted by Figure 8 is shown in Figure 9. Now, we use an additional internal signal port with address fin whose signal counter is increased by one as soon as the computation of f finishes. This implies that the write instruction may be performed earlier, at any time within the next 20ms.

The termination instruction complements the scheduled call instruction in the sense that a scheduled reaction which has previously been inserted into the distributed reaction $\delta$ by a scheduled call instruction can be removed by the termination instruction. Termination corresponds to terminating scheduled computation and communication within a given interval of signal counters.

Definition 4.18 (Termination)

Let s^e be the address of an environment signal port and let S either be the empty set or a singleton set {s^i} where s^i is the address of a signal port. Let f be a function and let $\nu$ be a valuation. We define the semantics of the instruction trm(s^e)(f). Let n be a non-negative integer. We assume that $*(PC, eco) = trm(s^e)(f)$. Then:

$exec(PC, (n) \circ stk, (\mu, \tau, \delta, \rho)) = exec(PC + 1, (n) \circ stk, (\mu, \tau, \delta \setminus \delta^{trm}, \rho))$

with $\delta^{trm} = \{d \mid d = (s^e, \mu(s^e) + i, f, \nu, S) \in \delta, 0 \le i \le n\}$.

Scheduled Communication. Similar to scheduled computation, we introduce instructions for scheduled communication which strictly takes time, as opposed to synchronous communication. Note that the termination instruction may also be used to terminate scheduled communication. We define a polling instruction pol(s^e)(f)(s^i) and a send instruction snd(s^e)(f)(s^i) for scheduled communication which complement the synchronous read instruction red(f) and write instruction wrt(f), respectively. We assume that the worst-case latency of f is known and available to any scheduling algorithm used by the E machine.

Definition 4.19 (Poll)

Let s^e be an environment signal port and let s^i be an internal signal port. Let f be a computable function which maps valuations of a subset in of the environment and output ports $env \cup out$ to valuations of a subset of the internal value ports $int_v$. The semantics of the instructions pol(s^e)(f)(s^i) and pol(s^e)(f) is the same as the semantics of the instructions cal(s^e)(f)(s^i) and cal(s^e)(f), respectively.
Function_f:  red(f_r)
             psh(15)
             cal(clk)(f)
             emp(clk)(Write:)
             pop
             ret

Write:       psh(5)
             snd(clk)(f_w)
             pop
             ret

Figure 10: An example of E code with scheduled computation and communication.


Definition 4.20 (Send)

Let s^e be an environment signal port and let s^o be an output signal port. Let f be a computable function which maps valuations of a subset in of the internal ports int to valuations of a subset of the output value ports $out_v$. The semantics of the instructions snd(s^e)(f)(s^o) and snd(s^e)(f) is the same as the semantics of the instructions cal(s^e)(f)(s^o) and cal(s^e)(f), respectively.

Figure 10 shows scheduled E code which replaces the code labelled Function_f: depicted by Figure 8 and Figure 9. Now, we shorten the deadline of the computation of f to 15ms and send its result, at the next 15ms instance, to some output port within the next 5ms. The send instruction may also be triggered by an additional signal port, similar to the example of Figure 9.

4.2  The  E  Machine  Semantics 

We define the formal semantics of the E machine in terms of sequences of configurations. We distinguish the deterministic dispatcher and the non-deterministic scheduler of the E machine. The scheduler is non-deterministic in the sense that it does not specify the completion times of scheduled computation and communication, which effectively makes it compatible with any scheduling algorithm. In order to compute a new configuration, the scheduler first calls the dispatcher to update the memory according to all computations and communication which have been scheduled to finish now. Note that in an implementation of the E machine the dispatcher is usually not called by the scheduler but upon completion of scheduled computation and communication by the completed tasks and messages themselves. Based on the updated memory and the current set of signal counters, the scheduler executes the embedded jumps which were waiting for these signal counters, resulting in new embedded jumps in the future and possibly new scheduled computation and communication.

Given a set $\alpha$ of signal counters from the environment interface, the dispatcher collects the results of all completed scheduled reactions which have been scheduled to finish at $\alpha$. The dispatcher updates value ports and may increase the signal counters of signal ports. Recall that, e.g., the scheduled call instruction cal(s^e)(f)(s^i) modifies, upon completion, the valuation of value ports to which f writes and also increases the signal counter of s^i. In general, there might be multiple completed scheduled reactions at the same instance which, however, in practice are only possible on different E machines of a distributed E machine.

Definition 4.21 (Dispatcher)

Let M be an embedded machine (eco, env, int, out). The dispatcher of M is a function dispatch which maps a set $\alpha$ of signal counters, a valuation $\mu$ for the overall memory mem of M, and a distributed reaction $\delta$ of M to a valuation for mem as follows:

1. We assume that the set $\alpha$ contains the signal counters of all environment signal ports which have just been increased by one, indicating the occurrence of a signal. We compute the set $\delta^{cpl}$ of completed scheduled reactions from the distributed reaction $\delta$: $\delta^{cpl} = \{d \mid (s, n) \in \alpha, d = (s, n, f, \nu, S) \in \delta\}$.

2. In $S^{cpl}$ we collect all signal ports from the completed scheduled reactions whose counters will be increased by one: $S^{cpl} = \{s^i \mid (s, n, f, \nu, S) \in \delta^{cpl}, s^i \in S\}$.

3. We compute inductively the updated valuation of the E machine memory by first initializing $\delta_0 = \delta^{cpl}$ and $\mu_0 = \mu$.

4. For all $i \ge 0$ for which there is, non-deterministically, a completed scheduled reaction $d = (s, n, f, \nu, S) \in \delta_i$, we remove d in $\delta_{i+1} = \delta_i \setminus \{d\}$ and update $\mu_{i+1} = update(\mu_i, f(\nu))$ by the valuation $f(\nu)$ computed by the function f on the valuation $\nu$ for the input ports of f.

5. Finally, we increase the signal counters of $S^{cpl}$ by one and return the last valuation $\mu'$ with $\mu' = increase(\mu_k, S^{cpl})$ and $k = \min(\{i \mid i \ge 0, \delta_i = \emptyset\})$.
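The scheduled call, termination and dispatcher definitions (4.17, 4.18 and 4.21) written out as plain set operations, with the Figure 9 pattern as a scenario. This is an added example, not the paper's code or any E machine implementation; reactions are tuples (s, n, f, nu, S) as in the text, while the dict/frozenset encoding, the function names cal, trm, dispatch and scenario, the port names and the sample function are assumptions of this example. Handing the reduced distributed reaction back from dispatch next to the valuation is also this example's choice (the definition returns the valuation only).

```python
def cal(delta, mu, s_e, f, in_ports, n, s_i=None):
    """All successors of the distributed reaction delta after cal(s_e)(f)(s_i) with n
    on top of the stack (Definition 4.17): f reads its inputs now, nu = mu|in, and the
    reaction may complete at any counter value mu(s_e)+i with 0 <= i <= n."""
    nu = tuple(sorted((q, mu[q]) for q in in_ports))      # hashable copy of mu|in
    S = frozenset() if s_i is None else frozenset([s_i])  # cal(s_e)(f) emits no signal
    return [delta | {(s_e, mu[s_e] + i, f, nu, S)} for i in range(n + 1)]


def trm(delta, mu, s_e, f, n):
    """trm(s_e)(f) with n on top of the stack (Definition 4.18): remove every reaction
    of f on s_e scheduled within the counter interval [mu(s_e), mu(s_e) + n]."""
    return frozenset(d for d in delta
                     if not (d[0] == s_e and d[2] is f and 0 <= d[1] - mu[s_e] <= n))


def dispatch(alpha, mu, delta):
    """Definition 4.21. alpha is the set of (port, counter) pairs just reached at the
    environment interface. Returns the updated valuation and delta without the
    completed reactions (returning delta as well is this example's addition)."""
    completed = {d for d in delta if (d[0], d[1]) in alpha}        # step 1
    emitted = {s for d in completed for s in d[4]}                  # step 2
    mu_new = dict(mu)
    for _, _, f, nu, _ in completed:       # step 4; the order is non-deterministic
        mu_new.update(f(dict(nu)))
    for s_i in emitted:                    # step 5: emit one signal per internal port
        mu_new[s_i] = mu_new.get(s_i, 0) + 1
    return mu_new, frozenset(delta - completed)


def scenario(i, terminate_after=None):
    """Figure 9 style: cal(clk)(f)(fin) with 20 on the stack while p_r = 3, where the
    scheduler picks completion at clk + i. Optionally trm(clk)(f) with
    terminate_after on the stack follows the call. Returns the tick at which f
    completed (None if it never did), the value of p_w and the fin counter."""
    mu = {"clk": 0, "fin": 0, "p_r": 3, "p_w": 0}
    f = lambda nu: {"p_w": 2 * nu["p_r"]}                  # sample scheduled function
    delta = cal(frozenset(), mu, "clk", f, ["p_r"], 20, "fin")[i]
    if terminate_after is not None:
        delta = trm(delta, mu, "clk", f, terminate_after)
    mu["p_r"] = 99                    # a later change of the input must not reach f
    done = None
    for t in range(1, 21):            # 20 ticks of the 1ms clock
        mu["clk"] = t
        mu, delta = dispatch({("clk", t)}, mu, delta)
        if done is None and mu["fin"] == 1:
            done = t
    return done, mu["p_w"], mu["fin"]
```

scenario(12) completes at tick 12 with p_w = 6 and fin = 1, showing that f worked on the input captured at the call (3, not the later 99); scenario(12, 20) terminates the reaction before it can complete, so nothing is written and no signal is emitted.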

The scheduler of the E machine computes for a given configuration a set of new configurations which contains all possible schedules. Whenever an implementation of the E machine uses a scheduling algorithm which is deterministic with respect to occurrences of signals, i.e., the progress of time and the occurrences of events, the scheduler becomes deterministic up to changes at the environment interface.

The scheduler first calls the dispatcher to collect the results of the completed scheduled reactions. Then it determines the set of active triggers in the schedule $\tau$. A trigger (s, n, l) is active if the signal counter of s has reached n. The scheduler executes the E code at the program address l. Multiple active triggers are executed in the order of the previous execution of the embedded jumps which created the triggers.

Definition 4.22 (Scheduler)

Let M be an embedded machine (eco, env, int, out). Let c and c' be two configurations of M of the form $(\mu, \tau, \delta, \rho)$ and $(\mu', \tau', \delta', \rho')$, respectively. The scheduler scd of M is a relation on pairs of configurations with $(c, c') \in scd$ if and only if:

1. In order to compute the completed scheduled reactions first, we begin with collecting all signal ports of the environment interface whose signal counters have been increased from c to c': $\alpha^{cpl} = \mu'|_{env_s} \setminus \mu|_{env_s}$. Recall that reactions of scheduled computation and communication may only be scheduled with respect to signal ports of the environment interface.

2. We compute the results of the completed scheduled reactions based on the new valuations of the environment interface and use the last valuations of the internal memory and output interface: $\mu^{cpl} = \mu'|_{env} \cup \mu|_{int \cup out}$.

3. $\mu^{dsp} = dispatch(\alpha^{cpl}, \mu^{cpl}, \delta)$ incorporates the results of all completed scheduled reactions written to $\mu^{cpl}$ by the dispatcher.

4. $S^{act} = env_s \cup int_s \cup out_s$ is the set of all signal ports of M which may now activate triggers.

5. We compute all active triggers based on the set $\alpha^{act} = \mu^{dsp}|_{S^{act}} \setminus \mu|_{S^{act}}$ of the signal ports whose signal counters have been increased from c to c' at the environment interface as well as in the internal memory and at the output interface.

6. In $\tau^{act} = \tau \setminus \{t \mid t = (s, n, l) \in \tau, (s, n) \notin \alpha^{act}\}$ we collect all active triggers of the current schedule $\tau$.

7. We compute inductively the updated versions of the valuation, the schedule, the distributed reaction, and the control state of the E machine by first initializing $\mu_0 = \mu^{dsp}$, $\tau_0 = \tau$, $\delta_0 = \delta$, and $\rho_0 = \rho$.

8. For all $i \ge 0$ for which there is an active trigger t of the form (s, n, l) such that $\tau^{act}_i = (t) \circ \tau^{act}_{i+1}$, we update $\mu_{i+1} = update(\mu_i, \mu_t)$, $\tau_{i+1} = \tau_t$, $\delta_{i+1} = \delta_t$, and $\rho_{i+1} = update(\rho_i, \rho_t)$ according to the execution of the E code at the program address l with $(\mu_t, \tau_t, \delta_t, \rho_t) \in exec(l, (), (\mu_i, \tau_i, \delta_i, \rho_i))$. Note that $\tau_{i+1}$ and $\delta_{i+1}$ are replaced by $\tau_t$ and $\delta_t$, respectively, rather than being extended. This allows triggers and scheduled reactions not only to be added but also to be removed from the schedules. In particular, removing a scheduled reaction corresponds to terminating scheduled computation or communication.

9. Finally, a new configuration c' consists of $\mu' = \mu_k$, $\tau' = \tau_k$, $\delta' = \delta_k$, and $\rho' = \rho_k$ with $k = \min(\{i \mid i \ge 0, \tau^{act}_i = ()\})$.

We define the semantics of the embedded machine in terms of sequences of configurations. Stuttering with respect to signals at the environment interface occurs whenever there is no active trigger and no completed scheduled reaction.

Definition 4.23 (Run)

Let scd be the scheduler of an embedded machine M. Let C be a set of initial configurations of M. A run of M is a sequence $c_0, c_1, c_2, \ldots$ with $c_0 \in C$ and $scd(c_i, c_{i+1})$ for all $i \ge 0$.

5 The Distributed Embedded Machine

We define the parallel composition of multiple E machines where some output ports of one machine may be equal to some output ports of another machine. Simultaneous write access by multiple machines is scheduled non-deterministically by the E machine, which effectively makes the machine compatible with any write access protocol. The ports of the environment interface, on the other hand, are required to be controlled exclusively by the physical environment rather than by other E machines.

We formally define the parallel composition of E machines. The result of the parallel composition of E machines is the distributed embedded machine. Most importantly, the semantics of the non-distributed E machine carries over to the distributed E machine without further enhancements.

Definition 5.1 (Machine Composition)

Let $M_1$ be a (distributed) embedded machine $(eco_1, env_1, int_1, out_1)$ and let $M_2$ be a (distributed) embedded machine $(eco_2, env_2, int_2, out_2)$ such that either the end of $eco_1$ is strictly smaller than the offset of $eco_2$ or the end of $eco_2$ is strictly smaller than the offset of $eco_1$, $env_1 \cap out_2 = \emptyset$, $env_2 \cap out_1 = \emptyset$, $int_1 \cap (env_2 \cup int_2 \cup out_2) = \emptyset$, and $int_2 \cap (env_1 \cup int_1 \cup out_1) = \emptyset$. The composition $M_1 \| M_2$ of $M_1$ and $M_2$ is a tuple (eco, env, int, out) with:

$eco = eco_1 \circ eco_2$

$env = env_1 \cup env_2$

$int = int_1 \cup int_2$

$out = out_1 \cup out_2$

Note that $\|$ is associative and commutative up to the order of the E code of the composed machines, which does not have any effect on the semantics of the composition.

Definition 5.2 (Distributed Embedded Machine)

A distributed embedded machine is the composition of (distributed) embedded machines.

6 Conclusion

We conclude with a discussion of particularly interesting platforms on which the embedded machine may be implemented. The time-triggered machine is a special case of the embedded machine in which we allow only a single signal port clk in the environment interface. We assume that a real-time clock increases periodically the signal counter of clk. Thus the physical environment can only trigger computational activity in the time-triggered machine through the signal port clk. In particular, events in the physical environment can only be observed in a time-triggered fashion by keeping track of the valuations of the value ports in the environment interface.

Definition 6.1 (Time-Triggered Machine)

The (distributed) time-triggered machine (TT Machine) is a (distributed) embedded machine with an environment interface which contains only a single signal port clk. We assume that a real-time clock increases periodically the signal counter of clk. We require that there are no shared output signal ports in the output interface among any of its component machines. We may call an embedded jump emp(clk)(l) of the TT machine a temporal jump, denoted by tmp(l).

The time-triggered architecture (TTA) [Kop97] is an interesting platform to implement the distributed time-triggered machine. A TTA requires implicit clock synchronization which allows TTA applications to exploit the existence of a global clock. It is thus not necessary for a TTA application to use signals across machines to control computation and communication. Note, however, that a TTA on the lowest operational level of the time-triggered protocol (TTP) uses signals across machines because this is an inherent part of networking in general. It is also possible to model the operational level, in particular of the TTP controllers, by a more complex distributed embedded machine with a single signal port clk in the environment interface but with shared output signal ports in the output interfaces of its component machines.

Another interesting platform for the distributed embedded machine is the globally asynchronous locally synchronous (GALS) architecture [BCG00] in which implicit global synchronization is replaced by explicit and directed clock synchronization. A receiver synchronizes its clock with the clock of a sender only upon the arrival of a new message from the sender. All local clocks in a GALS architecture will effectively be synchronized if all nodes in the system are senders and receivers which engage in a periodic exchange of messages. The explicit and directed synchronization can be modeled with E machine signals crossing the networks of a GALS architecture.

Future work with the E machine includes the design of a compiler which generates E code for the time-triggered programming language Giotto [HHK00]. The compiler may be part of the software architecture Ptolemy II [DGH+99] in which we have implemented Giotto as a model of computation. More complex code generation may result from combinations of Giotto with other models of computation in Ptolemy II like, e.g., the finite state machine and the synchronous data flow models.
7 Appendix: Opcodes



Instruction  Opcode    Instruction  Opcode
nop          0         set          10
emp          1         ret          11
des          2         cal          12
com          3         pol          13
red          4         snd          14
wrt          5         trm          15
prd          6         psh          16
cmp          7         pop          17
jmp          8         add          18
imp          9         neq          19
                                    20


